TL;DR: Ransomware delivery has shifted further toward email, with Abnormal AI citing a 600% increase in active ransomware groups since 2020 and saying over 76% of ransomware is delivered through email. That pattern makes inbox security, credential hygiene, and user-facing controls part of ransomware defence, not just detection.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Since the beginning of 2020, we’ve seen a 600% increase in the number of active ransomware groups.
- Over 76% of ransomware is delivered through email.
Questions worth separating out
Q: How should security teams reduce ransomware risk from email-delivered attacks?
A: Treat email as an identity entry point, not just a messaging channel.
Q: Why does email still matter so much in ransomware campaigns?
A: Email remains effective because it reaches people directly and can trigger credential theft, session hijacking, or payload execution with very little attacker effort.
Practitioner guidance
- Harden inboxes as identity gateways: Prioritise phishing-resistant authentication, attachment sandboxing, and link detonation for mail flows that can reach privileged users or administrators.
- Reduce standing privilege on user-linked accounts: Review where ordinary users still have access to shared drives, admin portals, SaaS consoles, or delegated workflows that could accelerate ransomware impact after a mailbox takeover.
- Segment recovery paths from production access: Separate backup, restore, and incident-response credentials from day-to-day identity paths so ransomware operators cannot use the same access they steal to block recovery.
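The three guidance points above can be run as checks over an identity inventory. The sketch below is an added example, not material from Abnormal AI or the webinar; the inventory, role names and MFA labels are constructed assumptions.

```python
from dataclasses import dataclass, field

# All role names and MFA labels below are assumptions made for this example.
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "smartcard"}
RECOVERY_ROLES = {"backup-admin", "restore-operator", "ir-breakglass"}
PRIVILEGED_ROLES = {"saas-console-admin", "admin-portal", "shared-drive-owner"}


@dataclass
class Identity:
    name: str
    has_mailbox: bool   # can an email lure reach this identity?
    mfa: str            # strongest enrolled factor
    standing_roles: set = field(default_factory=set)  # always-on, not just-in-time


def audit(identities):
    """Return sorted (identity, finding) pairs for mail-reachable identities."""
    findings = []
    for ident in identities:
        if not ident.has_mailbox:
            continue  # no inbox, so outside the email delivery path
        privileged = sorted(ident.standing_roles & PRIVILEGED_ROLES)
        recovery = sorted(ident.standing_roles & RECOVERY_ROLES)
        # Guidance 1: privileged, mail-reachable users need phishing-resistant MFA.
        if privileged and ident.mfa not in PHISHING_RESISTANT_MFA:
            findings.append((ident.name, "privileged-without-phishing-resistant-mfa"))
        # Guidance 2: standing privilege widens impact after a mailbox takeover.
        if privileged:
            findings.append((ident.name, "standing-privilege:" + ",".join(privileged)))
        # Guidance 3: recovery credentials must not sit on day-to-day identities.
        if recovery:
            findings.append((ident.name, "recovery-role-on-mail-identity:" + ",".join(recovery)))
    return sorted(findings)


# Constructed sample inventory.
INVENTORY = [
    Identity("alice", True, "totp", {"saas-console-admin"}),
    Identity("bob", True, "fido2", {"backup-admin"}),
    Identity("carol", True, "fido2", {"expense-app-user"}),
    Identity("svc-restore", False, "none", {"restore-operator"}),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

The dedicated restore identity without a mailbox produces no finding, which is the segmented state the third guidance point describes.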
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- The speaker discussion on how ransomware delivery methods have evolved over the past decade.
- The practical guidance on protecting inboxes against ransomware-focused phishing and delivery chains.
- The live Q&A with Abnormal CISO Mike Britton and Theresa Payton on current attack vectors.
- The CPE credit eligibility details for attendees after viewing the recording.
Email-delivered ransomware: what IAM teams need to account for
Explore further
Email-delivered ransomware is an identity problem disguised as a malware problem. The initial path is often a human trust event, but the damage depends on what that user interaction can reach. If inbox compromise can lead to credential reuse, privileged access, or lateral movement, then email security and identity governance must be treated as one control plane. Practitioners should design for the compromise path, not just the payload.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when ransomware spreads from email into business systems?
A: Accountability sits with the teams that own email security, identity governance, endpoint containment, and recovery readiness. If those functions are split, attackers exploit the seams. Organisations should define ownership for the full path from inbox delivery to access containment and restoration.